Many organizations struggle to define mobile work/play boundaries

The K-12 private education Paideia School in Atlanta now hands out about 550 Apple iPads each year to students for classroom teaching and homework purposes. And while students love them, some parents are now pressing the IT department to restrict use of apps on the devices because they think there's too much game-playing.

"We don't block the apps the students are using, and a lot of students are playing Angry Birds,' something we don't want," says Brian Meeks, network engineer at Paideia School. Teachers there have embraced iPads as an academic tool for classroom learning, and the school's philosophy is to encourage students to adhere to using iPads only for schoolwork. But kids will be kids, and their parents are noticing their children see the iPads as great toys as well.

Meeks says the school may well have to reluctantly make the decision to put tighter controls on the school's iPads.Paideia School has deployed the mobile-device management (MDM) software Sophos Mobile Control on the student iPads for purposes that include managing inventory, configuring and installing apps, and checking to make sure iPads aren't "jailbroken." In the future, Sophos Mobile Control may be used to restrict the apps that students use, too, says Meeks.

Differentiating between apps for work and play is not just an issue for schools. Businesses and government have similar concerns about work and personal apps. Most of the MDM software can use whitelisting to restrict apps, points out Andrew Braunberg, research director at NSS Labs, which does analysis and testing of network gear.

But many organizations want to go further than just whitelisting, Braunberg notes, by creating a "secure workspace" on mobile devices, whether these are corporate-issued or the employee's own "Bring Your Own Device" (BYOD) personal mobile device.

One challenge in doing this, says Braunberg, is that the popular mobile platforms, especially the ubiquitous Apple iOS and Google Android, are changing fast, creating both the opportunity to do new things but the struggle of keeping up with the latest bells and whistles.

The Apple iOS 7 platform, for example, "has an additional way to do containerization through what's called Managed Open In'," says Braunberg. Apple's Managed Open In' feature in iOS 7 lets IT managers control which apps and accounts are used to open documents and attachments. It can prevent personal documents from being opened in managed apps.

There are many other approaches to this idea of "secure workspace" and NSS Labs goes into several of them in its report out this week entitled, "Need for Data Isolation Drives Innovation" on which it reviews a number of today's mobile application management (MAM) options.

"The list is in no way comprehensive," Braunberg acknowledges, noting there are several more in the MDM/MAM software market today. But each in the NSS Labs report "introduce trade-offs in usability and app development overhead" that NSS Labs says should be carefully considered before jumping in.

The report notes that some vendor offerings are "offered only through service provider or device manufacturer channel relationships," the NSS Labs report points out. "Within the United States, both AT&T and Verizon have been actively working to deliver secure workspace services. AT&T is currently partnered with Enterproid and OpenPeak, while Verizon is currently partnered with Enterproid and VMware."

Braunberg says the "main questions that any organization needing to control apps should be asking are: How will it impact the user experience? What's the impact on the development community?" To build certain kinds of "hardened apps," for example, that use code libraries for encryption authentication and VPNs, he points out, might mean a major commitment of development time and money.

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.